This knowledge base article explains why warnings such as “Incomplete SSL Certificate Chain” or “Broken SSL Chain” occur and how you can quickly fix them.

SSL concepts sound straightforward: you deploy an SSL certificate to protect your website and its visitors and to encrypt their communication against interference by malicious actors. Most people do not dive deep into SSL concepts, preferring to let professionals handle SSL certificate configuration and troubleshooting. If you are going to fix the issue yourself, it helps to understand a few SSL-related terms first. So, let’s understand what the SSL Chain of Trust is, as the chain issue arises when the SSL chain of trust is affected.

What is the SSL Chain of Trust?

Let’s first understand what a Certificate Authority (CA) is. A Certificate Authority (CA), also known as a Certification Authority, is an organization that issues and manages digital security certificates, e.g., SSL/TLS certificates. CAs are trusted third-party entities (such as DigiCert, Comodo, etc.). Their digital certificates are data files that validate the identity of an entity such as a company or website and securely tie that identity to the cryptographic keys used for secure communication over an unsecured network, e.g., the internet. When you discuss terms such as Certificate Authorities (CA), root and intermediate certificates, and how SSL certificates are chained, you are referring to a concept called the “SSL Chain of Trust”.

Usually, when you get or buy an SSL certificate from a CA, it provides you with a dedicated application certificate for your website along with the intermediate certificate. Web browsers maintain a list of trusted root CA certificates, which are preinstalled and occasionally updated automatically. When a web browser loads your SSL certificate, it first chains your application certificate to the intermediate certificate. Then, it continues chaining until it reaches the trusted CA’s root certificate. This whole mechanism forms the SSL Chain of Trust: an ordered list of certificates that permits the end-user client (such as a web browser, acting as the receiver) to certify that the website’s server (acting as the sender) and the CA are trustworthy.


Now, let’s understand the reasons why the “Incomplete SSL Certificate Chain” or “Broken SSL Chain” occurs.

Why Incomplete Certificate Chain Warning?

The following are the reasons why warnings like “Incomplete SSL Certificate Chain” or “Broken SSL Chain” occur:

  • When you deploy a Custom SSL Certificate using the Cloudways Platform, you are required to add your website’s SSL certificate along with the intermediate certificate (in some cases, the Private Key is needed as well). If you miss installing the intermediate certificate or upload the wrong one, the certificate cannot be chained back, so browsers will not trust it and may show a broken chain or similar warning.

  • Or, if your intermediate certificate becomes invalid due to revocation or expiration, you may also see such warnings.
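
The first cause above (a missing or wrong intermediate) can be checked offline before anything is uploaded. The following is an added example, not Cloudways code: the function names are hypothetical, and `sample_cert` builds constructed, unsigned certificate skeletons purely as demo input. It compares issuer and subject names only, so it does not verify signatures, expiry or revocation.

```python
import base64, re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def pem_to_der(text):
    """DER bytes of every certificate block found in pasted PEM text."""
    return [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(text)]

def _tlv(buf, pos):
    """Read one DER tag-length-value; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def issuer_subject(der):
    """Raw issuer and subject Name bytes of one X.509 certificate."""
    tbs = _tlv(_tlv(der, 0)[1], 0)[1]  # Certificate -> tbsCertificate
    fields, pos = [], 0
    while pos < len(tbs) and len(fields) < 6:
        tag, val, pos = _tlv(tbs, pos)
        fields.append((tag, val))
    if fields[0][0] == 0xA0:  # optional explicit [0] version field
        fields.pop(0)
    return fields[2][1], fields[4][1]  # serial, sigAlg, issuer, validity, subject

def check_chain(cert_pem, ca_chain_pem):
    """Problems found in a pasted certificate plus CA chain (name links only)."""
    names = [issuer_subject(d) for d in pem_to_der(cert_pem) + pem_to_der(ca_chain_pem)]
    if not names:
        return ["no certificate block found (BEGIN/END lines missing?)"]
    problems = []
    if len(names) == 1 and names[0][0] != names[0][1]:
        problems.append("no intermediate supplied: chain is incomplete")
    for i in range(len(names) - 1):
        if names[i][0] != names[i + 1][1]:
            problems.append(f"certificate {i} was not issued by certificate {i + 1}")
    return problems

def _der(tag, body):  # demo encoder, short-form lengths only (< 128 bytes)
    return bytes([tag, len(body)]) + body

def sample_cert(subject, issuer):
    """Constructed, unsigned certificate skeleton: demo input only."""
    def name(cn):
        return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
               + name(issuer) + _der(0x30, b"") + name(subject))
    der = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode() + "\n-----END CERTIFICATE-----\n"
```

Call `check_chain()` with the text of your .crt/.cer file and the text of your .ca/.ca-bundle file; an empty list means every certificate names the next one as its issuer.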

How to Identify the Incomplete Certificate Chain Warning

We highly recommend that you verify your SSL certificate to see if your website has a broken chain issue. Not seeing such a warning in your own browser does not necessarily mean that your website visitors do not see it either, so identifying this issue is the first step to ensure you don’t leave your visitors and website vulnerable.

Let’s see how different third-party SSL checking tools give hints when the SSL certificate chain is broken.

Qualys SSL Labs

That’s how Qualys SSL Labs warns when the SSL certificate chain is broken.

SSL Shopper

That’s how SSL Shopper warns when the SSL certificate chain is broken.

Why No Padlock

That’s how Why No Padlock warns when the SSL certificate chain is broken.

Comodo SSL Store

That’s how Comodo SSL Store warns when the SSL certificate chain is broken.


How to Fix the Incomplete Certificate Chain Warning

To fix this issue, you need to modify/add an active intermediate certificate. If you are a Cloudways client, it is just a matter of copy and paste instead of running several commands on your server.

Step# 1

First of all, you need to identify whether you have your intermediate certificate. When you buy an SSL certificate from any SSL vendor, they provide you with your dedicated server/application certificate in .crt or .cer file format (e.g., mydomain.crt/mydomain.cer) along with the intermediate certificate in .ca or .ca-bundle file format (e.g., mydomain.ca/mydomain.ca-bundle).

If you have both your application certificate (.crt/.cer file) and the intermediate certificate (.ca/.ca-bundle file), you can proceed to Step# 2. Otherwise, if you do not have an intermediate certificate, you need to generate one, so click “Generate Intermediate Certificate” below to see the steps.

Generate Intermediate Certificate

To generate an intermediate certificate, you can use any third-party tool such as What’s My Chain Cert. Once you visit this website, paste your application’s SSL certificate (.crt/.cer file) content first and click Generate Chain.

Tip

To view and copy your certificate file content (.crt/.cer file), you can use any text editor such as Notepad for Windows or TextEdit for Mac. Please note that you need to copy and paste the whole certificate including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

A downloadable file named after your domain will be available after you click Generate Chain. The downloaded file will be your intermediate certificate.

Step# 2

Now, log in to the Cloudways Platform. Once logged in, navigate to the Servers tab from the top menu bar and choose your target server on which your desired application/website is deployed.

Next, click www located at the right-hand side of the server box.

Select your target application from the drop-down list.

In the Application Management menu, select SSL Certificate.

Step# 3

Here, you will either see the Re-Install SSL option or you will see an Install Certificate option.

So, to keep things simple, please select the option you see on your screen from the choices given below, as the process differs for each.

I See “Install Certificate” Option

Step (Ⅰ)

Click Install Certificate to install the SSL certificate and its intermediate certificate.

Step (Ⅱ)

Now, a dialog box will appear prompting for the Certificate Code and CA Chain.

  • Certificate Code refers to your application SSL certificate file content. Most of the SSL vendors usually provide this in .crt or .cer file format (e.g., mydomain.crt/mydomain.cer).

  • CA Chain refers to the certificate chain (intermediate certificate). It is usually provided in .ca or .ca-bundle file format (e.g., mydomain.ca/mydomain.ca-bundle).

Please note that these file formats and standards can vary, considering there are many SSL certificate providers with many different formats and standards. Still, if you need any help, you can always contact us via Live Chat or create a support ticket.

Finally, paste all the necessary details and hit Submit to deploy the certificate with the correct chain.

Tip

To view and copy your certificate file content (.crt/.cer file), you can use any text editor such as Notepad for Windows or TextEdit for Mac. Please note that you need to copy and paste the whole certificate including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

That’s it! Your SSL certificate with the intermediate chain should be deployed in a few minutes. You may also see a dialog box prompting you to force HTTPS redirection if you have not forced it through the Cloudways Platform previously.

Important

If you use any Web Application Firewall (WAF) service such as Cloudflare, Sucuri, etc., or if you have already implemented HTTPS redirection using an application plugin or by modifying the .htaccess file of your application, then you do not need to force HTTPS redirection again from the Cloudways Platform; this avoids your website running into redirection loops. If you want to force HTTPS redirection from the Cloudways Platform, you need to disable any redirection mechanism working elsewhere first.

So, choose to Enable HTTPS or simply skip it by clicking Not Now. Please note that you can also force HTTPS redirection later as well.

Let’s move to the final step of verifying the SSL certificate to ensure that the issue is resolved.

I See “Re-Install SSL” Option

Step (Ⅰ)

Click Re-Install Certificate to install the SSL certificate and its intermediate certificate.

Step (Ⅱ)

Now, you will be prompted to enter the CRT content and Key content.

  • Here, CRT content refers to your application SSL certificate file content. Most of the SSL vendors usually provide this in .crt or .cer file format (e.g., mydomain.crt/mydomain.cer).

  • You also need to concatenate your CA Chain, which refers to the certificate chain (intermediate certificate). It is usually provided in .ca or .ca-bundle file format (e.g., mydomain.ca/mydomain.ca-bundle). For concatenation, you can use any text editor such as Notepad for Windows or TextEdit for Mac.

  • All SSL certificates require a private key to work. The private key is a separate file with the extension .KEY that’s used in the encryption/decryption of data sent between your server and the connecting users. The private key is created by the certificate owner when requesting the certificate with a Certificate Signing Request (CSR).

Please note that these file formats and standards can vary, considering there are many SSL certificate providers with many different formats and standards. Still, if you need any help, you can always contact us via Live Chat or create a support ticket.

Finally, paste all the necessary details and click SUBMIT to deploy the certificate with the correct chain.

Tip

To view and copy your certificate file content (.crt/.cer file), you can use any text editor such as Notepad for Windows or TextEdit for Mac. Please note that you need to copy and paste the whole certificate including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

That’s it! Your SSL certificate with the intermediate chain should be deployed in a few minutes. You may also see a dialog box prompting you to force HTTPS redirection if you have not forced it through the platform previously.

Important

If you use any Web Application Firewall (WAF) service such as Cloudflare, Sucuri, etc., or if you have already implemented HTTPS redirection using an application plugin or by modifying the .htaccess file of your application, then you do not need to force HTTPS redirection again from the Cloudways Platform; this avoids your website running into redirection loops. If you want to force HTTPS redirection from the Cloudways Platform, you need to disable any redirection mechanism working elsewhere first.

So, choose to Enable HTTPS or simply skip it by clicking Not Now. Please note that you can also force HTTPS redirection later as well.

Let’s move to the final step of verifying the SSL certificate to ensure that the issue is resolved.

How to Fix the Incomplete Certificate Chain Warning

This is the final step to verify your SSL certificate and we have created a self-explanatory guide for it. Verification is done so you can ensure that changes are successfully made and the issue is resolved. If you need any help, you can always contact us via Live Chat or create a support ticket.

That’s it! We hope this article was helpful. If you need any help, then feel free to search your query on Cloudways Support Center or contact us via chat (Need a Hand > Send us a Message). Alternatively, you can also create a support ticket.
